Extension Field Cancellation: A New MQ Trapdoor Construction (PowerPoint presentation)

1. Extension Field Cancellation: A New MQ Trapdoor Construction
February 2016
Alan Szepieniec (1), Jintai Ding (2), Bart Preneel (1)
1: KU Leuven, ESAT/COSIC, first.secondname@esat.kuleuven.be
2: University of Cincinnati, jintai.ding@uc.edu

2. Outline
• Introduction
• Extension Field Cancellation
  • Basic Trapdoor
  • Frobenius Tail
• Attacks and Defenses
  • Bilinear Attack
  • Algebraic Attack – Minus
  • Differential Symmetry – Projection
• Security & Efficiency
  • Security Estimation
  • Implementation Results
• Conclusion

3. Multivariate Quadratic Cryptosystems
• public key: $P \in (\mathbb{F}_q[x_1, \ldots, x_n])^m$
• public operation: evaluate in $\mathbf{x} \in \mathbb{F}_q^n$
• secret key: $(S, T, F)$ where $S \in \mathrm{GL}_n(\mathbb{F}_q)$, $T \in \mathrm{GL}_m(\mathbb{F}_q)$, $F \in (\mathbb{F}_q[x_1, \ldots, x_n])^m$ such that $P = T \circ F \circ S$
• private operation: invert $S$, $F$, $T$ — all easy!
[diagram: encryption or signature verification evaluates the public map $P$ (public knowledge); decryption or signature generation inverts $S$, $F$, $T$ in turn (private knowledge)]

4. Single-Field Schemes
• all arithmetic occurs in $\mathbb{F}_q$
• canonical example: UOV
• $F_i(\mathbf{o}, \mathbf{v}) = \begin{pmatrix} \mathbf{o}^T & \mathbf{v}^T \end{pmatrix} F_i \begin{pmatrix} \mathbf{o} \\ \mathbf{v} \end{pmatrix}$, where the oil-oil block of the matrix $F_i$ is zero (no $o_j o_k$ terms)
• invert $F(\mathbf{o}, \mathbf{v}) = \mathbf{y}$:
  • fix $\mathbf{v}$ at random
  • solve $F(\mathbf{o}, \mathbf{v}) = \mathbf{y}$ for $\mathbf{o}$
  • linear system!

5. Mixed-Field Schemes
• arithmetic occurs in $\mathbb{F}_q$ as well as in $\mathbb{F}_{q^n} \cong \mathbb{F}_q[z]/\langle p(z) \rangle$
• canonical example: HFE
• let $\varphi(\mathbf{x}) : \mathbb{F}_q^n \to \mathbb{F}_{q^n} : \mathbf{x} \mapsto X = x_0 + x_1 z + \ldots + x_{n-1} z^{n-1}$
• let $f(X) = \sum_{i<d} \sum_{j<d} \alpha_{i,j} X^{q^i + q^j} + \sum_{k<d} \beta_k X^{q^k} + \gamma$
• $F(\mathbf{x}) = \varphi^{-1} \circ f \circ \varphi(\mathbf{x})$
• or for simplicity: $F(X) = f(X)$
• invert $F(X) = Y$:
  • factorize the polynomial $F(X) - Y$
  • choose a root $X_r$ such that $F(X_r) - Y = 0$

6. MQ Encryption Schemes
• ZHFE
  • mixed-field
  • 2 high-degree polynomials $F(X)$ and $\hat{F}(X)$ linked to 1 low-degree polynomial $\Psi(X)$
  • inversion: factorize $\Psi(X)$
• ABC / Simple Matrix Encryption
  • single-field, but embeds matrix algebra
  • reduces inversion to linear system solving
• Extension Field Cancellation (EFC)
  • mixed-field
  • 2 high-degree polynomials
  • reduces inversion to linear system solving
!! All three are expanding maps $\mathbb{F}_q^n \to \mathbb{F}_q^{2n}$ !!

7. EFC: Basic Trapdoor
• let $\varphi_m : \mathbb{F}_q^n \to \mathbb{F}_q^{n \times n}$ map a vector $\mathbf{x} \in \mathbb{F}_q^n$ to the matrix representation of $X \in \mathbb{F}_{q^n}$
• let $A, B \in \mathbb{F}_q^{n \times n}$ be matrices and $\alpha(X) = \varphi(A\mathbf{x})$, $\beta(X) = \varphi(B\mathbf{x})$
• Central map:
  $F = \begin{pmatrix} \varphi_m(A\mathbf{x})\,\mathbf{x} \\ \varphi_m(B\mathbf{x})\,\mathbf{x} \end{pmatrix} = \begin{pmatrix} \alpha(X)\,X \\ \beta(X)\,X \end{pmatrix}$

8. EFC: Basic Trapdoor
Central map:
  $F = \begin{pmatrix} \varphi_m(A\mathbf{x})\,\mathbf{x} \\ \varphi_m(B\mathbf{x})\,\mathbf{x} \end{pmatrix} = \begin{pmatrix} \alpha(X)\,X \\ \beta(X)\,X \end{pmatrix}$
How to invert?
  $F(X) = \begin{pmatrix} \alpha(X)\,X \\ \beta(X)\,X \end{pmatrix} = \begin{pmatrix} D_1 \\ D_2 \end{pmatrix}$
Solution: since multiplication in $\mathbb{F}_{q^n}$ is commutative, $\beta(X)\,\alpha(X)\,X = \alpha(X)\,\beta(X)\,X$, so the plaintext satisfies $\beta(X) D_1 - \alpha(X) D_2 = 0$, i.e., solve for $\mathbf{x}$:
  $\varphi_m(B\mathbf{x})\,\mathbf{d}_1 - \varphi_m(A\mathbf{x})\,\mathbf{d}_2 = 0$
which is a linear system.

9. Enhanced Trapdoor
• key idea: use Frobenius isomorphism
• disadvantage: restricted to characteristic 2 only
  $E(X) = \begin{pmatrix} \alpha(X)\,X + \beta(X)^3 \\ \beta(X)\,X + \alpha(X)^3 \end{pmatrix}$

10. Enhanced Trapdoor: Inversion
How to invert?
  $E(X) = \begin{pmatrix} \alpha(X)\,X + \beta(X)^3 \\ \beta(X)\,X + \alpha(X)^3 \end{pmatrix} = \begin{pmatrix} D_1 \\ D_2 \end{pmatrix}$
Solution: solve for $X$:
  $\alpha(X) D_2 - \beta(X) D_1 = \alpha(X)^4 - \beta(X)^4$
(the $\alpha(X)\beta(X)X$ terms cancel; in characteristic 2 the right-hand side equals $(\alpha(X) - \beta(X))^4$, an application of the Frobenius map) or for $\mathbf{x}$:
  $\alpha_m(\mathbf{x})\,\mathbf{d}_2 - \beta_m(\mathbf{x})\,\mathbf{d}_1 = Q_2 (A\mathbf{x} - B\mathbf{x})$
where $Q_2 \in \mathbb{F}_q^{n \times n}$ is the matrix associated with the Frobenius transform $X \mapsto X^4$.

11. Bilinear Attack
• basic variant: $F(X) = \begin{pmatrix} \alpha(X)\,X \\ \beta(X)\,X \end{pmatrix} = \begin{pmatrix} Y_1 \\ Y_2 \end{pmatrix}$
• bilinear relation: $\beta(X) Y_1 = \alpha(X) Y_2$
• there exist coefficients $K_i, L_i \in \mathbb{F}_{q^n}$ such that $\sum_{i=0}^{n-1} X^{q^i} (K_i Y_1 + L_i Y_2) = 0$
• attack:
  • generate many tuples $(X, Y_1, Y_2)$
  • compute $K_i$ and $L_i$ using linear algebra
  • given a ciphertext $Y = (Y_1, Y_2)$ and given the coefficients $K_i, L_i$, computing $X$ is easy

12. Other Attacks and Defenses
• same basic idea
• protect against Bilinear Attack: minus
• protect against Algebraic Attack: more minus
• protect against Differential Symmetry Attack: projection
• $\mathrm{EFC}_p^-$, $\mathrm{EFC}_{pt^2}^-$

13. Algebraic Attack
• Algebraic Attack: decent Gröbner basis algorithms (e.g. F4, F5, MutantXL)
• running time depends on degree of regularity
• $D_{\mathrm{reg}}$ depends on rank of quadratic form, where e.g.
  $F(X) = \begin{pmatrix} \mathbf{X}^T F_1 \mathbf{X} \\ \mathbf{X}^T F_2 \mathbf{X} \end{pmatrix}$, $\mathbf{X}^T = (X, X^q, X^{q^2}, \ldots, X^{q^{n-1}})$

14. Rank of Extension Field Quadratic Form
• $F_1 = \alpha(X)\,X$ $\sim$ rank = 2
• $F \circ S$ $\sim$ rank = 2 (change of basis)
• $T \circ F \circ S$ $\sim$ full rank
• $T(X) = \sum_i t_i X^{q^i}$
• $T \circ F(X) = \sum_i t_i \left( \mathbf{X}^T F \mathbf{X} \right)^{q^i}$

15. Fast Gröbner Basis F4
• F4 implicitly recovers $T$

16. Minus
• solution: drop $a$ rows from $T$
• F4 can only recover $n - a$ rows of $T$
• rank $r = 2 + a$
• drawback: guess $a$ values during decryption

17. Effect of Minus
• fixed $n = 35$
[plot: time (log scale, 1 to 65536) against number of applications (1 to 17)]

18. Decryption Errors
[plot: error rate (0 to 1) against $n$ (1 to 25), one curve per $a \in \{0, 2, 4, 6, 8, 10, 12\}$]

19. Differential Symmetry Attack
• $DF(\mathbf{x}, \mathbf{y}) = F(\mathbf{x} + \mathbf{y}) - F(\mathbf{x}) - F(\mathbf{y}) + F(\mathbf{0})$
• symmetry $\Leftrightarrow \exists\, \Lambda, L .\ DF(L\mathbf{x}, \mathbf{y}) + DF(\mathbf{x}, L\mathbf{y}) = \Lambda\, DF(\mathbf{x}, \mathbf{y})$
• broke SFLASH
• solution (pSFLASH): $S$ must be singular and $n$ prime
• $\mathrm{EFC}_p$:
  • $\mathrm{rank}(A) = \mathrm{rank}(B) = n - 1$
  • $n$ is prime
  • and $\ker(A) \cap \ker(B) = \{\mathbf{0}\}$

20. Estimating Security
• algebraic attack: Gaussian elimination in matrix with $T = \binom{n}{D_{\mathrm{reg}}}$ monomials
• $\tau = \binom{n}{2}$ nonzero terms per row
• complexity of Wiedemann algorithm: $O(\tau T^2)$
• $D_{\mathrm{reg}} \le \dfrac{(q-1)(r+a) + 2}{2}$

  n  | q | a  | D_reg | security
  83 | 2 | 10 | 8     | 82
  83 | 2 | 8  | 8     | 82
  59 | 3 | 6  | 10    | 82

21. Decryption Time as a Function of a
[plot: decryption time in seconds (log scale, 0.00390625 to 256) against $a$ (0 to 14)]

22. Algebraic Attack Time
• implementation in Magma (has F4)
[plot: time (log scale, 0.015625 to 65536) against $n$ (15 to 38), for $\mathrm{EFC}_p^-$ with $a = 10$ and $\mathrm{EFC}_{pt^2}^-$ with $a = 8$]

23. Implementation Results

  construction                                   | sec. key | pub. key | ctxt.
  $\mathrm{EFC}_p^-$, q = 2, n = 83, a = 10      | 48.3 KB  | 509 KB   | 20 B
  $\mathrm{EFC}_{pt^2}^-$, q = 2, n = 83, a = 8  | 48.3 KB  | 523 KB   | 20 B
  $\mathrm{EFC}_p^-$, q = 3, n = 59, a = 6       | 48.8 KB  | 375 KB   | 28 B

  construction                                   | key gen. | enc.    | dec.
  $\mathrm{EFC}_p^-$, q = 2, n = 83, a = 10      | 2.45 s   | 0.004 s | 9.074 s
  $\mathrm{EFC}_{pt^2}^-$, q = 2, n = 83, a = 8  | 3.982 s  | 0.004 s | 2.481 s
  $\mathrm{EFC}_p^-$, q = 3, n = 59, a = 6       | 2.938 s  | 0.004 s | 12.359 s

24. Conclusion
• extension field cancellation (EFC)
  • MQ mixed-field trapdoor construction
  • generate a pair of high-degree quadratic polynomials
  • uses commutativity of extension field to cancel the polynomials' complexity
  • end up with a linear system
• modifiers
  • Frobenius Tail in char 2 (speed)
  • Minus (protects against Algebraic Attack)
  • Projection (destroys Differential Symmetry)
• future work
  • get rid of Minus modifier
  • better security argument
  • shrink public keys
  • hardware implementation
